I'm trying to get the Tenant.Read.All and Tenant.ReadWrite.All scopes when authorizing with the PBI REST API but I can't figure it out. I can get a token using Postman that contains every other scope but the two required for Admin calls to the API. I'm not using a service principal, just signing in when Postman gets a new token.
Related
Based on the doc (https://learn.microsoft.com/en-us/rest/api/azure/devops/tokens/pats/update?view=azure-devops-rest-7.1&tabs=HTTP) provided by MS, i'm trying to update my Token expiration date through the api. I made a sample request using a full access token to authenticate and passing the authorizationId of the token i want to update in the body:
My sample request using Postman
And it keeps returning Error 403, I've checked my organization policies and tried by adding or removing parameters from body but it din't work.
I've also made another request to get the list of tokens on my organization with the same token authorization and api version and that went well.
According to your screenshot you are using the Basic Auth with PAT.
Please note that you must authenticate with an Azure AD token to use this API instead of a PAT token. In order to call the API directly, you need to provide an Azure AD access token as a Bearer token in Authorization header of your request. Please see Manage personal access tokens (PATs) using REST API and Q: Can I use basic auth with all Azure DevOps REST APIs? for details.
You can follow below steps to get the AAD Bearer token:
Install the Azure Az PowerShell module.
Login with a user account which has the permission in your DevOps org (Owner or PCA) with command Connect-AzAccount
1.) Alternately login from the cloud shell with command Connect-AzAccount -UseDeviceAuthentication, you will see the following message:
2.) Then copy the url https://microsoft.com/devicelogin and open in a new tap, enter the code IVR7VRWJQ to authenticate.
3.) Login with the Azure DevOps organization owner or other PCA account. After successful login you will see the account info, then follow below steps to get the Bearer Token.
Get the Bearer token:
$token = (Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798").Token
$token
Copy and use the token in script or Postman to update the PAT.
I am trying to get the data of a signed in user using Microsoft graph API. I work with the "aad_oauth" package in flutter. When signing in, an access token is provided. This access token is then used in a http.get request.
However every time I try to get the data, the following error appears.
"{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation:"
I also added a permission at the ad admin center.
That's how I get the access token
This is my http request
I tried to reproduce the same in my environment and got the below results:
I created an Azure AD application and added user.read permission:
Now I generated access token via Postman with below parameters:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:1b323717-80d8-4172-b141-XXXXXX
client_secret:GTT8Q~PErY3nTbj9LO8Nkkm2ai.XXXXXXX
scope:user.read
code:code
redirect_uri: redirect_uri
To get the details of the signed-in user, I ran the below query by including bearer token:
GET https://graph.microsoft.com/v1.0/me/
While making a basic http calls from “Keycloak” to “Azure ADB2C” to retrieve a token as a response from AD B2C.
The current flow looks like this. For a Java web application which is integrated with the ‘Keycloak’ as an identity broker, and from the ‘Keycloak’ we have integrated with ‘Azure AD B2C’ as an identity provider for user authentication and to send the token response back to the keycloak request.
Use case 1: We have integrated a Azure ADB2C signin user flow endpoint in keycloak, which is sending the SignIn requests to b2c and retrieving the token as a response from Azure b2c is fine.
Use case 2: Have a blocker in this use case, While making a basic http header call from ‘Keycloak’ to “Azure AD B2C’, we are seeing an error code in the ‘keycloak’ logs as ‘Invalid_grant’, invalid_secret and ‘Invalid_credentials’ upon different calls passing from keycloak. And upon verifying in Azure ADB2C side, we haven’t found any logs for above request from ‘Keycloak’.
Is there any workaround or any changes has to be made In keycloak to handle a basic http calls to Azure ADB2C?
Thank you!!
For client to client calls, Azure AD B2C supports client_credntial flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
You can send the client_id and client_secret parameters in a Basic Authentication header.
we want to access the Keycloak (Version 10) REST API from one of our backend services. To authenticate, we have setup the followings:
new clients within our realm
enabled service account for that client
assigned all [1] roles of “realm-management” to the services account
Accessing the API, e.g. fetching a selected user always results in a 401 response.
Steps to make the requests are:
Retrieve access_token from https://my-keycloak.com/auth/realms/my-realm/protocol/openid-connect/token using grant_type=client_credentials + Client ID + Client Secret
Fetch user from https://my-keycloak.com/auth/realms/my-realm/users/some-user-id-4711
using the Authorization: Bearer $ACCESS_TOKEN with the Token from step 1.
My Question: Is it even possible to use a custom client or do we have to stick to login via admin-cli? How would we need to configure the custom client, to grant access to the REST API.
Thanks,
Martin
[1] Simply setting all roles for the sake of testing, regardless that we only want to read data in the end.
I have tried this URL : http://lists.jboss.org/pipermail/keycloak-user/2018-September/015665.html, though with no help.
i have an access token to call admin API's
Xtreme Biker is right.
I could get the url from UI console.
/realms//clients//installation/providers/keycloak-oidc-keycloak-json
using client name, client-id can be retrieved using endpoint
/auth/admin/realms/${realm}/clients?clientId=
The catch is the access token that has to be supplied to the admin endpoints to respond successfully.
Access token shall be retrieved using a credentials of a user who has 'manageclients' access to the client role of the realm under which the client is registered.